About the security content of macOS Mojave 10.14

This document describes the security content of macOS Mojave 10.14.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Impact: Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis

Description: An information disclosure issue was addressed by flushing the L1 data cache at the virtual machine entry.

CVE-2018-4326: an anonymous researcher working with Trend Micro's Zero Day Initiative, Zhuo Liang of Qihoo 360 Nirvan Team

Entry added October 30, 2018

MediaRemote

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2018-4310: CodeColorist of Ant-Financial LightYear Labs

Entry added October 30, 2018

Microcode

Impact: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis

Description: An information disclosure issue was addressed with a microcode update. This ensures that older data read from recently-written-to addresses cannot be read via a speculative side-channel.

Impact: Processing a maliciously crafted text file may lead to a denial of service

Description: A denial of service issue was addressed with improved validation.

CVE-2018-4304: jianan.huang (@Sevck)

Entry added October 30, 2018

Wi-Fi

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2018-4338: Lee @ SECLAB, Yonsei University working with Trend Micro's Zero Day Initiative

Entry added October 23, 2018

Additional recognition

Accessibility Framework

We would like to acknowledge Ryan Govostes for their assistance.

Core Data

We would like to acknowledge Andreas Kurtz (@aykay) of NESO Security Labs GmbH for their assistance.

CoreDAV

We would like to acknowledge Matthew Thomas of Verisign for their assistance.

Entry added December 13, 2018, updated December 21, 2018

CoreGraphics

We would like to acknowledge Nitin Arya of Roblox Corporation for their assistance.

CoreSymbolication

We would like to acknowledge Brandon Azad for their assistance.

Entry added December 13, 2018

IOUSBHostFamily

We would like to acknowledge Dragos Ruiu of CanSecWest for their assistance.

Entry added December 13, 2018

Kernel

We would like to acknowledge Brandon Azad for their assistance.

Entry added December 13, 2018

Mail

We would like to acknowledge Alessandro Avagliano of Rocket Internet SE, John Whitehead of The New York Times, Kelvin Delbarre of Omicron Software Systems, and Zbyszek Żółkiewski for their assistance.

Quick Look

We would like to acknowledge lokihardt of Google Project Zero, Wojciech Reguła (@_r3ggi) of SecuRing, and Patrick Wardle of Digita Security for their assistance.

Entry added December 13, 2018

Security

We would like to acknowledge Christoph Sinai, Daniel Dudek (@dannysapples) of The Irish Times and Filip Klubička (@lemoncloak) of ADAPT Centre, Dublin Institute of Technology, Istvan Csanady of Shapr3D, Omar Barkawi of ITG Software, Inc., Phil Caleno, Wilson Ding, and an anonymous researcher for their assistance.

SQLite

We would like to acknowledge Andreas Kurtz (@aykay) of NESO Security Labs GmbH for their assistance.

Terminal

We would like to acknowledge an anonymous researcher for their assistance.

Entry added December 13, 2018

Time Machine

We would like to acknowledge Matthew Thomas of Verisign for their assistance.

Entry updated January 22, 2019

WindowServer

We would like to acknowledge Patrick Wardle of Digita Security for their assistance.

Entry added December 13, 2018

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.